Commit Graph

1612 Commits

Author SHA1 Message Date
Andrea Marchesini
912e678ea6 Bug 1322514 - nsIPrincipal::GetOrigin should use the parent principal when dealing with blobURL, r=ehsan 2016-12-08 10:44:59 -10:00
Andrea Marchesini
f7f5990527 Bug 1317927 - Media caching needs to use origin attributes, r=cpearce, r=jesup 2016-12-07 07:07:09 -10:00
Gijs Kruitbosch
d1260ddfab Bug 1318664 - fix about pages linking to themselves with query parameters, r=bz
MozReview-Commit-ID: Dsqj0L4aIlv

--HG--
extra : rebase_source : 5fde285885cfa4a14200aefc70d1f2395d67d92f
2016-11-23 18:26:44 +00:00
Andrea Marchesini
43e2ee7f71 Bug 1318727 - BroadcastChannel should support data URL - part 2, r=me 2016-11-30 15:31:09 +01:00
Andrea Marchesini
a9a05a834d Bug 1318727 - BroadcastChannel should support data URL, r=smaug 2016-11-30 15:13:27 +01:00
Dragana Damjanovic
898f6d8b2a Bug 1317641 - Some loadinfo security flags should not apply in case of a redirect. r=bz
--HG--
extra : rebase_source : aaebbb8628801871e09bc583b3b11a9908b77b92
2016-11-23 17:54:58 -05:00
Andrea Marchesini
dd1d53bd2b Bug 1319045 - Get rid of nsPrincipal::GetOriginFromURI, r=qdot 2016-11-22 12:38:41 +01:00
Andrea Marchesini
2f974ccbce Bug 1318273 - Improve the use of SpecialPowers.pushPrefEnv() - part 1, r=qdot 2016-11-18 09:33:33 +01:00
Sebastian Hengst
7110a88674 Backed out changeset d43b778d95c6 (bug 1318273) for failing mochitest fetch/test_formdataparsing.html. r=backout on a CLOSED TREE 2016-11-17 20:58:38 +01:00
Andrea Marchesini
cf2ad8072f Bug 1318273 - Improve the use of SpecialPowers.pushPrefEnv() - part 1, r=qdot 2016-11-17 19:36:01 +01:00
Ehsan Akhgari
d07f79a266 Bug 1318210 - Remove nsIAppsService; r=baku 2016-11-17 10:41:36 -05:00
Ehsan Akhgari
5cc591dc59 Bug 1318209 - Remove mozIApplication; r=baku 2016-11-17 10:12:43 -05:00
Andrea Marchesini
d5b0cbe35a Bug 1315905 - Cleanup Necko http security check - part 1, r=valentin 2016-11-17 14:52:16 +01:00
Ehsan Akhgari
eac76d9772 Bug 1310845 - Remove support for mozapp iframes; r=fabrice,jryans,baku,mcmanus
This patch removes support for mozapp iframes, leaving support for
mozbrowser iframes intact.  Some of the code has been rewritten in order
to phrase things in terms of mozbrowser only, as opposed to mozbrowser
or app.  In some places, code that was only useful with apps has been
completely removed, so that the APIs consumed can also be removed.  In
some places where the notion of appId was bleeding out of this API, now
we use NO_APP_ID.  Other notions of appId which were restricted to this
API have been removed.
2016-11-16 09:13:38 -05:00
Carsten "Tomcat" Book
3eacc680db Backed out changeset 7d1f7dd996f7 (bug 1310845) 2016-11-16 14:50:44 +01:00
Ehsan Akhgari
cb369370b3 Bug 1310845 - Remove support for mozapp iframes; r=fabrice,jryans,baku,mcmanus
This patch removes support for mozapp iframes, leaving support for
mozbrowser iframes intact.  Some of the code has been rewritten in order
to phrase things in terms of mozbrowser only, as opposed to mozbrowser
or app.  In some places, code that was only useful with apps has been
completely removed, so that the APIs consumed can also be removed.  In
some places where the notion of appId was bleeding out of this API, now
we use NO_APP_ID.  Other notions of appId which were restricted to this
API have been removed.
2016-11-15 18:31:46 -05:00
Gijs Kruitbosch
82d475be93 Bug 1309310, r=bz
MozReview-Commit-ID: KLaMv6zfxR8

--HG--
extra : rebase_source : ccb4d19c874230c512010d3891aae33a69947f62
2016-11-09 18:25:11 +00:00
Tim Huang
950b86072e Bug 1313627 - Get the firstPartyDomain from the nodePrincipal of the document in nsDocShell::CanAccessItem() if the first party isolation is on. r=smaug 2016-11-10 14:20:38 +08:00
Christoph Kerschbaumer
f2776f1b8d Bug 1308889 - Try to explicitly pass aTriggeringPrincipal and aPrincipalToInherit to DoURILoad(). r=bz 2016-11-08 07:23:12 +01:00
Valentin Gosu
656872593e Bug 1315302 - Remove signedPkg from origin attributes r=baku
MozReview-Commit-ID: L1xvRgeO6De

--HG--
extra : rebase_source : dee943054af499b6e3f0aca2801fa9414f5567be
2016-11-06 16:15:36 +01:00
Sebastian Hengst
8ed57a9dc8 Bug 1310297 - Remove test annotations using b2g, mulet or gonk: caps. r=RyanVM
MozReview-Commit-ID: DXTWNHWatEv

--HG--
extra : rebase_source : da5e99ba431f1bc826101d8cc1e1bcb599aaa5fb
2016-11-05 11:29:13 +01:00
Kris Maglione
8b10d432c1 Bug 1308920: Part 1 - Add an EqualsIgnoringAddonId method to BasePrincipal. r=bholley
This is meant as a temporary stopgap until we can stop using origin attributes
to store add-on IDs.

MozReview-Commit-ID: DHstOTyu7pR

--HG--
extra : rebase_source : adb8fbfaadf6e914b5aa15c2693a35056669506c
2016-11-02 10:04:13 -07:00
Dave Huseby
ce82855c42 Bug 1189086 - Eliminate nsIPrincipal::jarPrefix. r=dveditz 2016-10-24 13:52:00 +02:00
Tom Tromey
0dc689acdd Bug 553032 - use MOZ_FORMAT_PRINTF in js; r=evilpie
MozReview-Commit-ID: DD3DJRkOxmC

--HG--
extra : rebase_source : 61cdf0da1a82b626abc79209ee41e43c3bb152ca
2016-10-11 12:44:40 -06:00
Sebastian Hengst
9e31a95f74 Backed out changeset 2bfd163f23f9 (bug 553032) 2016-10-19 18:29:36 +02:00
Tom Tromey
5b851428f8 Bug 553032 - use MOZ_FORMAT_PRINTF in js; r=evilpie
MozReview-Commit-ID: DD3DJRkOxmC

--HG--
extra : rebase_source : 4f98705e5e2c5ff9860f04384abbc6f5dc18a7a9
2016-10-11 12:44:40 -06:00
Ehsan Akhgari
4a51ebacfa Bug 1310378 - Remove support for mozwidget; r=baku 2016-10-17 13:15:36 -04:00
Ehsan Akhgari
9de6bbbaec Bug 1261019 - Part 3: Remove Navigator.mozApps and code depending on it; r=myk,jryans,fabrice,mcmanus,peterv 2016-10-13 13:18:41 -04:00
Christoph Kerschbaumer
fb07f658e3 Bug 1305012 - Downgrade a new channel's principal to NullPrincipal. r=smaug 2016-10-05 21:19:51 +02:00
Cameron McCormack
418bfe72a3 Bug 1300720 - Part 2: Lazily initialize nsScriptSecurityManager::mFileURIWhitelist. r=bholley
MozReview-Commit-ID: 8cqHUlOnsEH
2016-10-03 12:43:17 +08:00
Olli Pettay
9f0454f829 Bug 1306300, null check nsILoadContext in GetLoadContextCodebasePrincipal, r=baku 2016-09-29 20:31:50 +03:00
Gijs Kruitbosch
7de765df42 Bug 1290668 - unbreak view-source links between http and https pages, r=smaug
MozReview-Commit-ID: B4nXTkMC5LE

--HG--
extra : rebase_source : ad7086b7ff58f44b12c3eaaf9b7be8c8955762a5
2016-09-27 13:31:53 +01:00
Tooru Fujisawa
10dd75211d Bug 1289050 - Part 2: Use ASCII or Latin1 variants of JS_ReportError in not-simple cases. r=jwalden 2016-08-15 19:20:01 +09:00
Jonathan Hao
8a70bfa5fc Bug 1302047 - Ignore userContextId and firstPartyDomain when matching permissions. r=baku
--HG--
extra : rebase_source : da81c21da92810d808ebe865a456cc9d04058ce3
2016-09-20 16:35:21 +08:00
Tracy Walker
ab9e34053d Bug 1279087 - In caps/tests/mochitests/bug995943.xul, widen range of assertion check for OSX 10.10 to 5-9 to reduce intermittent test timeouts. r=emk 2016-09-26 08:13:38 -05:00
Ehsan Akhgari
9d56bec7a1 Bug 1297687 - Part 5: Require passing an OriginAttribute when constructing an nsExpandedPrincipal; r=bholley 2016-09-22 13:28:04 -04:00
Ehsan Akhgari
e45aad00ec Bug 1297687 - Part 3: Ensure that the expanded principal of a sandbox has a sensible OriginAttributes; r=bholley
This patch allows specifying an OriginAttributes when creating a sandbox
using Components.utils.Sandbox() by specifying an originAttributes
member on the options dictionary.

If an OA is specified in this way, it is used for creating codebase
principals from the string arguments passed to the function.  Otherwise,
if one or more principals are passed in the array argument to Sandbox(),
the OA of the principal(s) is used to construct codebase principals from
the strings inside the array.  In this case, we check to make sure that
all of the passed principals have the same OA, otherwise we'll throw an
exception.

In case no explicit OA is specified and no principals are passed in the
array argument, we create the codebase principals using a default OA.
2016-09-22 13:27:51 -04:00
Ehsan Akhgari
5404c2dc93 Bug 1297687 - Part 2: Allow specifying an OriginAttribute when creating an expanded principal; r=bholley 2016-09-22 13:27:40 -04:00
Ehsan Akhgari
6b65aceec2 Bug 1297687 - Part 1: Remove nsIScriptSecurityManager.createExpandedPrincipal(); r=bholley 2016-09-22 13:27:33 -04:00
Christoph Kerschbaumer
bc9a70d964 Bug 1297338 - Introduce concept of principalToInherit to docshell and scriptSecurityManager. r=bz 2016-09-20 08:36:25 +02:00
Nicholas Nethercote
8c9e80a613 Bug 1297300 - Add missing checks to GetSpec() calls in caps/ and js/. r=mrbkap.
This required making GetScriptLocation() fallible.

--HG--
extra : rebase_source : a678e86c443988897d88550bec1cd1d21c3e919e
2016-08-30 14:22:04 +10:00
Michael Layzell
36e08437d0 Bug 1018486 - Part 8: Various other changes, r=smaug
MozReview-Commit-ID: B0dsomkWgEk
2016-09-07 10:50:45 -04:00
Yoshi Huang
10b437080c Bug 1260931 - Part 3: Propagate firstPartyDomain. r=smaug 2016-09-06 10:25:58 +08:00
Yoshi Huang
85a594681d Bug 1260931 - Part 1: add firstPartyDomain. r=smaug
Add an origin attribute called 'firstPartyDomain'.
This value will be extracted from the URL bar.

And the purpose of this attribute is used to isolate the data-jars.
Please see the tor documentation.
https://www.torproject.org/projects/torbrowser/design/#identifier-linkability

The idea is like a superset of 'reject third party cookies', but not
only apply for cookies, it also applies to all data-jars like localStorage,
indexedDB and so on.

So basically an iframe will have its own data-jar, and this data-jar is
isolated by the URL from URL bar, for instance, an iframe
https://facebook.com inside https://cnn.com won't share data-jar with
the iframe (https://facebook.com) in https://bbc.com
2016-09-06 10:25:48 +08:00
Sebastian Hengst
60d03b201e Backed out changeset 935ffd53f193 (bug 1260931) for failing xpcshell test test_packaged_app_service.js. r=backout 2016-09-05 21:16:10 +02:00
Sebastian Hengst
c9519f7c29 Backed out changeset b9afda2804fd (bug 1260931) 2016-09-05 21:15:29 +02:00
Yoshi Huang
6cca1d0c54 Bug 1260931 - Part 3: Propagate firstPartyDomain. r=smaug 2016-09-06 01:50:30 +08:00
Yoshi Huang
6c3b62e2fb Bug 1260931 - Part 1: add firstPartyDomain. r=smaug
Add an origin attribute called 'firstPartyDomain'.
This value will be extracted from the URL bar.

And the purpose of this attribute is used to isolate the data-jars.
Please see the tor documentation.
https://www.torproject.org/projects/torbrowser/design/#identifier-linkability

The idea is like a superset of 'reject third party cookies', but not
only apply for cookies, it also applies to all data-jars like localStorage,
indexedDB and so on.

So basically an iframe will have its own data-jar, and this data-jar is
isolated by the URL from URL bar, for instance, an iframe
https://facebook.com inside https://cnn.com won't share data-jar with
the iframe (https://facebook.com) in https://bbc.com
2016-09-06 01:50:15 +08:00
Wes Kocher
a2ca4e17ce Backed out changeset 1e7eb0625d3e (bug 1297687) a=merge 2016-09-02 13:18:37 -07:00
Sebastian Hengst
7080f0c942 Backed out changeset dd200883aa79 (bug 1260931) for permafailing test_child_docshell.html on Android debug. r=backout 2016-09-02 15:33:51 +02:00